RelationalDBDesign


Managing Storage
Lesson 6: New security features
Objective: Describe security management improvements.

Oracle Database 11g Release 2 (11.2.0.2) New Security Features

Enhancements to Fine-Grained Access to External Services and Wallets

In this release, when you use fine-grained access control to configure external network services and wallets, you can also control access to the DBMS_LDAP PL/SQL package. In a default database installation, this package is created with the EXECUTE privilege granted to PUBLIC. This release improves the security of the package by letting you control which applications in the database may use it. As part of this enhancement, the DBMS_LDAP package is now an invoker's rights package. Before a user can connect to a remote network host, he or she must be granted the connect privilege in the access control list that was assigned to that host. See Oracle Database PL/SQL Packages and Types Reference for more information about the DBMS_LDAP package.
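The following is an added example (not part of the lesson or of Oracle's documentation) of the access control list setup the paragraph describes, using the DBMS_NETWORK_ACL_ADMIN package that ships with 11g. The ACL file name ldap_users.xml, the principal APP_LDAP_USER and the host ldap.example.com are constructed for illustration.

```sql
-- Added example: grant one database user the 'connect' privilege to a remote
-- LDAP host so that its DBMS_LDAP calls are permitted. Names are constructed.
BEGIN
  -- 1. Create the ACL and grant the first principal the 'connect' privilege.
  --    Other users of DBMS_LDAP are denied unless added with ADD_PRIVILEGE.
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'ldap_users.xml',
    description => 'Users allowed to reach the corporate LDAP server via DBMS_LDAP',
    principal   => 'APP_LDAP_USER',
    is_grant    => TRUE,
    privilege   => 'connect');

  -- 2. Bind the ACL to the remote host and port. Only principals listed in
  --    the ACL can open a connection to ldap.example.com on port 389.
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'ldap_users.xml',
    host       => 'ldap.example.com',
    lower_port => 389,
    upper_port => 389);

  COMMIT;
END;
/

-- Verify what the ACL actually allows before relying on it:
-- 1 = granted, 0 = denied, NULL = the principal is not named in the ACL.
SELECT DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE('ldap_users.xml', 'APP_LDAP_USER', 'connect')
       AS ldap_connect_allowed
  FROM DUAL;

-- Review all host assignments and privileges currently in force.
SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
SELECT acl, principal, privilege, is_grant FROM dba_network_acl_privileges;
```

The CHECK_PRIVILEGE query and the two DBA_NETWORK_ACL views are the practical way to audit an ACL: a host with no assigned ACL means every DBMS_LDAP connection attempt to it is rejected, and a principal that appears with is_grant = 'false' has been explicitly denied.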

Support for MERGE INTO Statements for Virtual Private Database Policies

In previous releases of Oracle Database, when you created an Oracle Virtual Private Database policy on an application that included the MERGE INTO statement, the MERGE INTO statement was rejected with an ORA-28132: Merge into syntax does not support security policies error because of the Virtual Private Database policy. In this release, you can create policies on applications that include MERGE INTO operations. To do so, in the DBMS_RLS.ADD_POLICY statement_types parameter, include the INSERT, UPDATE, and DELETE statements, or simply omit the statement_types parameter altogether.

There are so many new ideas in Oracle's documentation for security and password management, it may be hard for you to decide where to begin.
The concepts introduced with Oracle10g are intended to simplify the overall management of security, but it will take some study and experimentation on your part to decipher all the choices and determine what portions are best for your particular circumstances.
The list below shows a variety of the security choices available to you if you are using a combination of Internet and intranet applications. A module later in this course goes into more detail on all of these choices plus a few more.

  1. Oracle Advanced Security, a tool that replaces the older Oracle Security Server, authenticates users when they log in to the network and transmits that data to an application or to the database. Password complexity checking (requiring a password that is statistically more difficult to guess) is one of the features available.
  2. Oracle Advanced Security is compatible with the Secure Sockets Layer (SSL) protocol and therefore can be used with your Web applications.
  3. Oracle accepts application context as a security level. Whenever the application works with the database, it is restricted to a predefined set of privileges.
  4. A new concept, called the virtual private database, sets row-level security with a context-sensitive WHERE clause stored in each table or view. The WHERE clause is attached to every query (or other command) run against the table or view. For example, suppose a table has a WHERE clause that limits queries to the rows inserted by the user. Because of this, selecting all rows from the table returns different results for User A and User B.
  5. Another new idea, called integrated directory and security service, provides a tool called the Oracle Wallet Manager. If you define user access to directories in the database, the directory receives a special wallet file (this is standard SSL technology) that attaches to the directory and restricts user access even if users reach the file from outside the database.
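As an added example (not code from the lesson), here is a Virtual Private Database policy that ties together item 4 above and the earlier MERGE INTO note: the policy function builds the WHERE clause from the session user, and ADD_POLICY lists the INSERT, UPDATE and DELETE statement types so that, on 11.2.0.2, a MERGE against the table is allowed rather than failing with ORA-28132. The schema APP_OWNER, the table ORDERS with its OWNER_USER column, the function ORDERS_BY_OWNER and the policy name are all constructed for illustration.

```sql
-- Added example. The policy function returns the predicate that Oracle appends
-- to every statement against the protected table; here each session only sees
-- rows tagged with its own session user.
CREATE OR REPLACE FUNCTION app_owner.orders_by_owner (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2)
RETURN VARCHAR2
AS
BEGIN
  -- The predicate is derived from session context, not from text supplied by
  -- the application, so application SQL cannot widen it.
  RETURN 'owner_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END orders_by_owner;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_OWNER',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_OWNER_POLICY',
    function_schema => 'APP_OWNER',
    policy_function => 'ORDERS_BY_OWNER',
    -- Naming INSERT, UPDATE and DELETE (or omitting statement_types entirely)
    -- is what lets 11.2.0.2 apply the policy to MERGE INTO.
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    -- Also reject inserted/updated rows that would not satisfy the predicate,
    -- so a session cannot write rows it would then be unable to see.
    update_check    => TRUE);
END;
/

-- The same MERGE can now run for every user; the appended predicate means a
-- session can only match, update or insert rows whose owner_user is itself.
MERGE INTO app_owner.orders o
USING (SELECT 1001 AS order_id, 'PENDING' AS status FROM DUAL) src
   ON (o.order_id = src.order_id)
WHEN MATCHED THEN
  UPDATE SET o.status = src.status
WHEN NOT MATCHED THEN
  INSERT (order_id, status, owner_user)
  VALUES (src.order_id, src.status, SYS_CONTEXT('USERENV', 'SESSION_USER'));

-- Run by User A and then by User B, this query returns different result sets
-- because the policy predicate is added to each session's query.
SELECT order_id, status, owner_user FROM app_owner.orders;
```

To confirm the policy is attached and enabled, query DBA_POLICIES for the table; a policy whose SEL/INS/UPD/DEL columns read NO for one of the statement types is a sign that statement_types was narrowed and MERGE will again be rejected.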

Oracle Advanced Security
Many more options exist from which to choose, and you can explore them later in this course.
The next lesson will conclude this module.